feat(mcp): add package-first enterprise mock lab#2670
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
@reachjalil is attempting to deploy a commit to the Different AI Team on Vercel. A member of the Team first needs to authorize it. |
Agent integration rehearsal update — 2026-07-11This source branch is published at e1569ec and was exercised in the independent combined rehearsal, #2675. The rehearsal confirmed the realistic pre-registered ServiceNow-style confidential-client path, the read-only catalog test, distinct credential and provider-permission failures, stable UI row targeting, bounded callback replacement, listener cleanup, fail-closed runtime controls, and operation-only denial and throttling faults. Status remains deliberately separate:
This PR remains based on upstream dev because the controlled parent branch exists only on the Jalil fork. #2674 is the approval ledger; this PR is the source and evidence branch. |
e1569ec to
ababe2a
Compare
Important
Foundation status: automated verification complete; two independent audits found no package blocker. Verified by Jalil: not started. This remains a draft while Jalil reviews it in small, understandable steps.
This PR is now intentionally package-first. It does not modify Den, the existing generic/Gmail mock, or the current MCP UI. The follow-up Den Test connection PR will be stacked on this branch so the reusable test foundation can be accepted first.
Remote checks: all GitHub test/build/i18n/Helm checks passed, including the new enterprise mock safety gate. The three Vercel preview checks report “Authorization required to deploy” for the fork; that is an external preview-access limitation, not a compile or test failure.
Managerial summary
We set out to make enterprise MCP failures reproducible without needing a customer ServiceNow or Microsoft tenant for every development cycle.
The earlier version mixed a mock server, Den connection behavior, UI behavior, and proof code in one change. This revision establishes a cleaner standard:
The practical result is a deterministic local lab where a developer can select a provider shape, inject one precise fault, and prove the exact first phase and error category observed on the wire.
What existed, what was added, and why it matters
@openwork/enterprise-mcp-mock-serverinpackages/enterprise-mcp-mock-server.@openwork-ee/enterprise-mock-labinee/apps/enterprise-mock-lab.Package-first structure
The app imports the package through its public contract. The package does not import Den routes, Den persistence, Den UI, or organization/member concepts.
The existing
scripts/mock-oauth-mcp-server.mjs, Den API/Web paths,turbo.json, and existing Den eval helpers remain byte-identical to currentupstream/devin this PR.Three diagnostic levels
An empty but protocol-valid catalog is reported as a readiness failure, not a connection failure.
For example, the browser proof configures a provider authorization denial and independently observes:
The healthy fixture-conformance probe completes OAuth, MCP initialization, the exact pinned tool-name set, and general schema-validity checks. It explicitly says that it did not execute a provider tool.
Provider profiles and fidelity
All profiles are pinned to fixture version
2026-07-12.1and separately label endpoint, authorization, catalog, schema, result, and transport fidelity..defaultscope and catalog shapePrimary references used by the fixtures:
Safety and correctness
HttpOnly/SameSite=Strictsessions, exact Origin checks, and CSRF tokens.What testing found and how serious it was
requiredkeyword shape, with a direct protocol assertionupstream/dev; final diff contains only two new importersVerification completed
11.4.0./healthreturned the loopback-only service identity; the private root required authentication; SIGINT closed the listener.turbo.json, and older eval paths: zero diff from currentupstream/dev.git diff --check: passed.The new focused GitHub workflow makes the package and lab checks automatic for relevant changes. The browser story remains an intentional review proof rather than an overclaimed live-provider test.
What this PR does not prove
This is the most important boundary:
Those are not hidden failures of the package. They are the next verification layers and must remain explicit before anyone claims live-provider conformance.
Suggested review path for Jalil
Boundary review: confirm the package/app names and that the package is independent from Den and the old mock.
Start the lab:
Open
http://127.0.0.1:8794.Create the Den OAuth row first: use the planned local lab endpoint and pre-registered client, then copy the exact callback Den displays before pressing Connect.
Create one ServiceNow fixture: paste that callback into the lab's exact redirect list, keep it stopped first, inspect the profile/fidelity statements, then start it and Connect from Den.
Inject one fault: choose provider authorization denied and run the fixture-conformance probe. Confirm the expected and observed phase/category match.
Recover: reset, switch to Healthy baseline, apply the new revision, probe again, then delete the instance.
Record Jalil’s decision here: only after this foundation is understood should the Den Test connection branch be reviewed and merged into it.
Stacking and follow-up plan
This PR remains based on
devand is the package-first foundation.The next draft PR will use
feature/mcp-diagnostic-mock-serveras its base and add only the Den administrator Test connection consumer. That review will answer:Live dynamic tracing remains a later layer and should not be merged until the foundation and connection test are separately understood.
Reviewer focus
packages/enterprise-mcp-mock-server/src/index.tsandsrc/contracts/.src/profiles/profiles.ts.src/faults/catalog.ts,src/protocol/, andsrc/testing/probe.ts.src/runtime/.ee/apps/enterprise-mock-lab/src/security.ts,app.ts, andcontrol-plane.ts..github/workflows/ci-enterprise-mcp-mock.yml.